Using Bit. Locker Without a Trusted Platform Module Microsoft introduced Bit. Locker Drive Encryption (BDE), or Bit. Locker, in Windows Server 2. Windows Vista. Bit.
Locker offers volume- level data encryption for data stored on Windows clients and servers and protects the data when systems are offline (i. OS is shut down). Bit. Locker can prevent data breaches such as the theft of confidential corporate data on employee laptop computers. In previous Windows versions this protection wasn't possible without a third- party product. When Bit. Locker is applied to the system volume, it can provide a file- integrity checking feature that automatically assesses the status of boot files such as the BIOS, Master Boot Records (MBRs), and the NTFS boot sector when the system boots and before the OS starts. If a hacker inserts malicious code into one of the boot files or modifies one of the files, Bit. Locker will detect it and block the OS from starting.
BitLocker protects that data. Offers forums for discussion, an integrated directory, daily news, and other services geared towards security professionals and users of security products. Cisco VPN Client for Windows Vista, release 5.0.0.340, does not support the following: . Malware spreading in recent outbreak is not ransomware, as “petya” had been altered to wipe and destroy system memory, suggesting a nation state was behind it. If you're unable to successfully start Windows 7 due to a Blue Screen of Death, you won't be able to disable the automatic restart on system failure option as. Harden Windows 10 - A Security Guide gives detailed instructions on how to secure Windows 10 machines and prevent it from being compromised. We will harden the system.
In the initial release, only a single volume—the OS drive—could be Bit. Locker protected. In Server 2. 00. 8 and Vista SP1, Microsoft added support for Bit. Locker protection of different volumes, including local data volumes.
In Server 2. 00. 8 R2 and Windows 7, Microsoft added Bit. Locker support for removable data drives (e. This feature is called Bit.
Locker To Go. For an overview of the disk configurations that Bit. Locker supports, see Microsoft’s “Bit. Locker Drive Encryption in Windows 7: Frequently Asked Questions.” Server 2. R2 and Windows 7 also come with an extended set of Bit. Locker Group Policy Object (GPO) configuration settings, including a new data recovery agent feature that allows centralized recovery of the Bit.
Locker- protected data in an Active Directory (AD) forest. A TPM is a special security chip that’s built in to most of today’s PC motherboards. Using Bit. Locker with a TPM adds security value, but it also adds setup and management complexity and overhead.
In addition, many organizations still have older computers that don't have TPMs. You can’t add a TPM to a computer; it’s either part of the system’s design, or it isn’t. I’ll walk you through the steps to get Bit.
Locker up and running on a computer that doesn't have a TPM, I’ll explain which tools you need instead, and I’ll cover best practices you can follow. On Windows 7 and Vista the Bit. Locker logic is installed as part of the OS installation process.
On Server 2. 00. 8 R2 and Server 2. Bit. Locker is an optional feature that you must install. You can do so using the Add features option that’s available from the Initial Configuration Tasks window or—after installation—from Server Manager.
Using Bit. Locker without a TPM to protect OS drives involves a Bit. Locker setup process that’s slightly different from the standard process that I outline later in the article; it also requires an additional GPO tweak that you must make prior to starting the Bit.
Install device drivers for Windows Vista. By default, most of the hardware is already supported by Windows Vista (Windows Vista contains 20.000+ drivers, which is. Windows Vista introduced a number of new I/O functions to the Microsoft Windows line of operating systems. They are intended to shorten the time taken to boot the. InformationWeek.com: News, analysis and research for business technology professionals, plus peer-to-peer knowledge sharing. Engage with our community.
Locker setup process. This requirement is necessary because the USB drive holding the Bit. Locker encryption key must be connected and readable through the BIOS when your system starts. The user must then insert the USB drive during startup to unlock the encrypted OS drive.
If your system doesn’t have a TPM, if your TPM is disabled, or if your TPM is set in the BIOS to be hidden in the OS, the Bit. Locker Drive Encryption wizard will display the error message shown in Figure 1 during the initialization phase. The wizard then also forces you to abandon the Bit. Locker setup—the Cancel button is the only option. Click Start, Run, type gpedit.
Enter. Double- click Require additional authentication at startup (for configuring Server 2. R2 or Windows 7 systems) or Require additional authentication at startup (Windows Server 2. Windows Vista (for configuring Server 2. Vista systems). Then click Enabled to enable changes to the policy, as Figure 2 shows. Click OK and close GPE. Use gpupdate. exe to update the GPO settings on your machine from the command line. The wizard will offer the Require a Startup key at every startup option as the only startup preference.
When you click this startup preference, the wizard will prompt you to insert a removable USB memory device to save the startup key. After the Bit. Locker Drive Encryption wizard completes successfully, you’ll be prompted to plug in the Bit. Locker USB key every time your system boots.
This setting is located in the \Computer Configuration\Administrative Templates\Windows Components\Bit. Locker Drive Encryption GPO container’s Control Panel Setup: Enable Advanced Startup Options entry. Bit. Locker requires a special system partition to store system files that can’t be encrypted and that are required to start or recover the OS. You can create this special system partitionusing the Bit. Locker Drive Preparation Tool.
For information about the tool, including instructions for installing it, see the Microsoft article “Description of the Bit. Locker Drive Preparation Tool.” In Server 2.
R2 and Windows 7 this tool is integrated into the Bit. Locker Drive Encryption wizard. The wizard can take a long time to run—possibly several hours depending on the drive size. Encrypting my 4. 5GBdata drive with Bit. Locker took about two hours. The good news is that the encryption occurs in the background and your computer is still useable during this time. However, I still recommend that you do nothing else on your machine until the encryption process is finished because your computer might run more slowly.
Although the wizard is robust, it’s still possible for something to go wrong (e. You’ll see a list of all the available volumes that can be encrypted with Bit.
Locker (OS, fixed, and removable drives). If you see a warning message—for example, a warning that there’s no TPM present—then you must first complete the steps outlined in the previous section. You can also right- click the drive icon in Windows Explorer and select Turn on Bit. Locker to start the wizard. Unless you choose to automatically unlock the drive, you must provide a password or smart card and associated PIN when you want to access the protected data drive.
The option to automatically unlock the drive is available only for fixed data drives if your OS drive is also Bit. Locker protected—in which case the data drive is automatically unlocked when you log on to Windows. If you want to use a smart card to unlock your drive, you need a special certificate and private key on your smart card.
For information about how to obtain such a certificate from an internal Certification Authority (CA) or how to generate a self- signed certificate for this purpose, see Microsoft’s “Bit. Locker Drive Encryption Step- by- Step Guide for Windows 7.” The wizard gives you the option to save the Bit. Locker recovery password to different locations: to a USB flash drive, to a file, or as a printed document. The Bit. Locker recovery password is of critical importance; it lets you regain access to your data if you forget your unlock password or lose your unlock smart card.
I recommend that you always save at least two copies of the recovery password. If you use a USB drive, you shouldn’t use the drive for anything else. Note that you can use the Bit. Locker Drive Encryption applet’s Manage Bit. Locker option to make more backups of the recovery key after the wizard is finished. Click Start Encrypting to proceed.
On removable data drives you have the option to pause and resume the encryption process (use the Pause button to pause). This option is useful if you need to remove the drive during encryption. The pause and resume option isn’t available during OS or fixed drive encryption. Click Close when the encryption process completes. When a drive is encrypted its drive symbol is covered with a lock symbol. A gold closed lock indicates that the drive is locked; a gray open lock is displayed after you unlock the drive. To unlock an encrypted drive, right- click it and select Unlock Drive.
The unlock screen displays, where you can enter your unlock password, as Figure 4 shows. In addition to volume- level encryption, Bit. Locker also provides a file- integrity checking mechanism.
As I mentioned earlier, this mechanism automatically assesses the status of boot files such as the BIOS, MBRs, and the NTFS boot sector when the system boots and before the OS starts. If a hacker inserts malicious code into one of the boot files or modifies one of the files, Bit. Locker will detect it and block the OS from starting. Bit. Locker will then enter into recovery mode, and you’ll need the Bit. Locker recovery password or recovery key to regain access to the system.
These disadvantages shouldn’t be underestimated in large Bit. Locker deployments, especially from a total cost of ownership (TCO) point of view. The Server 2. 00. R2 and Windows 7 version of Bit. Locker competes with third- party encryption tools—and surpasses them when it comes to integration with the Windows OS and its built- in management tools.